Closed Bug 1322925 Opened 9 years ago Closed 9 years ago

Sandboxed iframe has permission on custom protocol

Categories: Firefox :: Untriaged, defect
Version: 1.0 Branch
Priority: Not set
Severity: normal
Status: RESOLVED INVALID
Reporter: s.h.h.n.j.k (Unassigned)

Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36

Steps to reproduce:
1. Go to https://test.shhnjk.com/sandbox.php?url=/proto.proto.html&s=allow-scripts
2. It will open the registered mailer.

Actual results:
If a sandboxed iframe is set or redirected to a custom protocol (mailto:, tel:, acrobat:, etc.), it is handled normally and there is no information to the user about who initiated this (the parent or the sandboxed iframe). This is bad design.

Expected results:
It should block, or at least give information to the user that this was initiated from a sandboxed iframe.
That is outside the definition of what the <iframe> sandbox attribute does. It may be a good idea but it needs to be brought up as an issue with the standard rather than as a "bug" in only Firefox. The official standard process is via the HTML working group at the W3C, but the unofficial version of the standard maintained by WHATWG is much more active.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
And Gecko tries to follow WhatWG HTML spec, not W3C HTML5 spec.